ISO 2700x Information Security Standards
The ISO 2700x family of standards helps organisations keep information assets secure. These standards will help your organisation manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
The primary goal of information security is to protect information assets against risks, and thus to maintain their value to the organisation. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability – along with related properties such as authenticity, accountability, non-repudiation and reliability.
ISO 27001 provides the requirements for an Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It helps small, medium and large businesses in any sector keep their information assets secure.
ISO 2700x describes how an organisation can respond to risks with a risk treatment plan: an important part of this is choosing appropriate controls.
The new ISO 27001:2013 is easier to integrate with other management standards like ISO 9001, ISO 22301, ISO 20000 and others.
ISO 27001:2013 also allows more freedom for companies – especially smaller ones – to scale the ISMS to their real needs and thereby avoid unnecessary overhead.
There are now 114 controls in 14 groups and 35 control objectives:
- 5: Information security policies
- 6: Organisation of information security
- 7: Human resource security –controls that are applied before, during, or after employment
- 8: Asset management
- 9: Access control
- 10: Cryptography
- 11: Physical and environmental security
- 12: Operations security
- 13: Communications security
- 14: System acquisition, development and maintenance
- 15: Supplier relationships
- 16: Information security incident management
- 17: Information security aspects of business continuity management
- 18: Compliance: with internal requirements, such as policies, and with external requirements, such as laws.
The new and updated controls reflect changes to technology affecting many organisations, for instance, cloud computing.